Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 14:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe
-
Size
454KB
-
MD5
06241bd1d858ecd7dfbb1021e97c3a15
-
SHA1
96168875e1b52223de7e2beae79cb419f5ae4c7e
-
SHA256
333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47
-
SHA512
43aa10a2aac5a7fe1a3033a0902b4eb05df01db5d6e058a8ba38acb9e81f911ce65b7d5dd05f775ddce950a8776a042930d485d41661e88f6a58782db65acafc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4504-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4684-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4832-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-941-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-1089-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-1132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3160-1756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4488 lxrflff.exe 3532 bttnhh.exe 2276 xrllfff.exe 3344 hnntnn.exe 4480 nhnhbt.exe 3064 xfxrxrx.exe 4180 thhbtn.exe 2580 lfllxrx.exe 2280 jjvdp.exe 3028 bhbthh.exe 4164 ffffrfx.exe 2856 7rxfxrx.exe 1452 nbhbtn.exe 3744 rfrlffx.exe 32 9thbbn.exe 3520 xlrllff.exe 4188 bbbtnb.exe 3676 7frxlrr.exe 1492 htbtnn.exe 2820 dvdvd.exe 2808 3fxxrrx.exe 2936 bnnhtn.exe 3168 7djdd.exe 2664 frrlxrf.exe 4684 thhhbb.exe 1576 jjvvp.exe 4176 bntntn.exe 2652 hnnnht.exe 2384 dvpvv.exe 4992 fxxrrlf.exe 4688 3nhthb.exe 3904 xflxfxx.exe 3128 htbtth.exe 5096 pjjdp.exe 1256 5flflff.exe 2356 3vpjd.exe 676 lxflfxr.exe 3368 htthbt.exe 1232 pddpj.exe 4040 3ppjd.exe 1756 rllrfxl.exe 2076 nhbthh.exe 5100 jjjdv.exe 3460 xrllffr.exe 952 tnhbnh.exe 3536 pdvdj.exe 1764 rfxrffr.exe 3868 hnbnbt.exe 4780 dvpdp.exe 2920 rrlrxlr.exe 4760 xlrrrxx.exe 4388 bthnhn.exe 2680 pvpvd.exe 3156 fxfrlfx.exe 4488 btthbb.exe 4364 dddvj.exe 2360 rlxrffr.exe 3488 llrllrl.exe 4976 jdjvd.exe 1376 pjpjj.exe 4480 xrrlfxr.exe 3972 nbtbbn.exe 1164 vpdpj.exe 4944 fxlllll.exe -
resource yara_rule behavioral2/memory/4504-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4688-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4616-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-941-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-1132-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4504 wrote to memory of 4488 4504 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 82 PID 4504 wrote to memory of 4488 4504 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 82 PID 4504 wrote to memory of 4488 4504 333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe 82 PID 4488 wrote to memory of 3532 4488 lxrflff.exe 83 PID 4488 wrote to memory of 3532 4488 lxrflff.exe 83 PID 4488 wrote to memory of 3532 4488 lxrflff.exe 83 PID 3532 wrote to memory of 2276 3532 bttnhh.exe 84 PID 3532 wrote to memory of 2276 3532 bttnhh.exe 84 PID 3532 wrote to memory of 2276 3532 bttnhh.exe 84 PID 2276 wrote to memory of 3344 2276 xrllfff.exe 85 PID 2276 wrote to memory of 3344 2276 xrllfff.exe 85 PID 2276 wrote to memory of 3344 2276 xrllfff.exe 85 PID 3344 wrote to memory of 4480 3344 hnntnn.exe 86 PID 3344 wrote to memory of 4480 3344 hnntnn.exe 86 PID 3344 wrote to memory of 4480 3344 hnntnn.exe 86 PID 4480 wrote to memory of 3064 4480 nhnhbt.exe 87 PID 4480 wrote to memory of 3064 4480 nhnhbt.exe 87 PID 4480 wrote to memory of 3064 4480 nhnhbt.exe 87 PID 3064 wrote to memory of 4180 3064 xfxrxrx.exe 88 PID 3064 wrote to memory of 4180 3064 xfxrxrx.exe 88 PID 3064 wrote to memory of 4180 3064 xfxrxrx.exe 88 PID 4180 wrote to memory of 2580 4180 thhbtn.exe 89 PID 4180 wrote to memory of 2580 4180 thhbtn.exe 89 PID 4180 wrote to memory of 2580 4180 thhbtn.exe 89 PID 2580 wrote to memory of 2280 2580 lfllxrx.exe 90 PID 2580 wrote to memory of 2280 2580 lfllxrx.exe 90 PID 2580 wrote to memory of 2280 2580 lfllxrx.exe 90 PID 2280 wrote to memory of 3028 2280 jjvdp.exe 91 PID 2280 wrote to memory of 3028 2280 jjvdp.exe 91 PID 2280 wrote to memory of 3028 2280 jjvdp.exe 91 PID 3028 wrote to memory of 4164 3028 bhbthh.exe 92 PID 3028 wrote to memory of 4164 3028 bhbthh.exe 92 PID 3028 wrote to memory of 4164 3028 bhbthh.exe 92 PID 4164 wrote to memory of 2856 4164 ffffrfx.exe 93 PID 4164 
wrote to memory of 2856 4164 ffffrfx.exe 93 PID 4164 wrote to memory of 2856 4164 ffffrfx.exe 93 PID 2856 wrote to memory of 1452 2856 7rxfxrx.exe 94 PID 2856 wrote to memory of 1452 2856 7rxfxrx.exe 94 PID 2856 wrote to memory of 1452 2856 7rxfxrx.exe 94 PID 1452 wrote to memory of 3744 1452 nbhbtn.exe 95 PID 1452 wrote to memory of 3744 1452 nbhbtn.exe 95 PID 1452 wrote to memory of 3744 1452 nbhbtn.exe 95 PID 3744 wrote to memory of 32 3744 rfrlffx.exe 96 PID 3744 wrote to memory of 32 3744 rfrlffx.exe 96 PID 3744 wrote to memory of 32 3744 rfrlffx.exe 96 PID 32 wrote to memory of 3520 32 9thbbn.exe 97 PID 32 wrote to memory of 3520 32 9thbbn.exe 97 PID 32 wrote to memory of 3520 32 9thbbn.exe 97 PID 3520 wrote to memory of 4188 3520 xlrllff.exe 98 PID 3520 wrote to memory of 4188 3520 xlrllff.exe 98 PID 3520 wrote to memory of 4188 3520 xlrllff.exe 98 PID 4188 wrote to memory of 3676 4188 bbbtnb.exe 99 PID 4188 wrote to memory of 3676 4188 bbbtnb.exe 99 PID 4188 wrote to memory of 3676 4188 bbbtnb.exe 99 PID 3676 wrote to memory of 1492 3676 7frxlrr.exe 100 PID 3676 wrote to memory of 1492 3676 7frxlrr.exe 100 PID 3676 wrote to memory of 1492 3676 7frxlrr.exe 100 PID 1492 wrote to memory of 2820 1492 htbtnn.exe 101 PID 1492 wrote to memory of 2820 1492 htbtnn.exe 101 PID 1492 wrote to memory of 2820 1492 htbtnn.exe 101 PID 2820 wrote to memory of 2808 2820 dvdvd.exe 102 PID 2820 wrote to memory of 2808 2820 dvdvd.exe 102 PID 2820 wrote to memory of 2808 2820 dvdvd.exe 102 PID 2808 wrote to memory of 2936 2808 3fxxrrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe"C:\Users\Admin\AppData\Local\Temp\333d61791f040d35464c2cf84930ab00c7b1198bf65eabaa9103c17a5b8d7b47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\lxrflff.exec:\lxrflff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\bttnhh.exec:\bttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\xrllfff.exec:\xrllfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\hnntnn.exec:\hnntnn.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\nhnhbt.exec:\nhnhbt.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\xfxrxrx.exec:\xfxrxrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\thhbtn.exec:\thhbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\lfllxrx.exec:\lfllxrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\jjvdp.exec:\jjvdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\bhbthh.exec:\bhbthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\ffffrfx.exec:\ffffrfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\7rxfxrx.exec:\7rxfxrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\nbhbtn.exec:\nbhbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\rfrlffx.exec:\rfrlffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\9thbbn.exec:\9thbbn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\xlrllff.exec:\xlrllff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\bbbtnb.exec:\bbbtnb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\7frxlrr.exec:\7frxlrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\htbtnn.exec:\htbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\dvdvd.exec:\dvdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\3fxxrrx.exec:\3fxxrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\bnnhtn.exec:\bnnhtn.exe23⤵
- Executes dropped EXE
PID:2936 -
\??\c:\7djdd.exec:\7djdd.exe24⤵
- Executes dropped EXE
PID:3168 -
\??\c:\frrlxrf.exec:\frrlxrf.exe25⤵
- Executes dropped EXE
PID:2664 -
\??\c:\thhhbb.exec:\thhhbb.exe26⤵
- Executes dropped EXE
PID:4684 -
\??\c:\jjvvp.exec:\jjvvp.exe27⤵
- Executes dropped EXE
PID:1576 -
\??\c:\bntntn.exec:\bntntn.exe28⤵
- Executes dropped EXE
PID:4176 -
\??\c:\hnnnht.exec:\hnnnht.exe29⤵
- Executes dropped EXE
PID:2652 -
\??\c:\dvpvv.exec:\dvpvv.exe30⤵
- Executes dropped EXE
PID:2384 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe31⤵
- Executes dropped EXE
PID:4992 -
\??\c:\3nhthb.exec:\3nhthb.exe32⤵
- Executes dropped EXE
PID:4688 -
\??\c:\xflxfxx.exec:\xflxfxx.exe33⤵
- Executes dropped EXE
PID:3904 -
\??\c:\htbtth.exec:\htbtth.exe34⤵
- Executes dropped EXE
PID:3128 -
\??\c:\pjjdp.exec:\pjjdp.exe35⤵
- Executes dropped EXE
PID:5096 -
\??\c:\5flflff.exec:\5flflff.exe36⤵
- Executes dropped EXE
PID:1256 -
\??\c:\3vpjd.exec:\3vpjd.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
\??\c:\lxflfxr.exec:\lxflfxr.exe38⤵
- Executes dropped EXE
PID:676 -
\??\c:\htthbt.exec:\htthbt.exe39⤵
- Executes dropped EXE
PID:3368 -
\??\c:\pddpj.exec:\pddpj.exe40⤵
- Executes dropped EXE
PID:1232 -
\??\c:\3ppjd.exec:\3ppjd.exe41⤵
- Executes dropped EXE
PID:4040 -
\??\c:\rllrfxl.exec:\rllrfxl.exe42⤵
- Executes dropped EXE
PID:1756 -
\??\c:\nhbthh.exec:\nhbthh.exe43⤵
- Executes dropped EXE
PID:2076 -
\??\c:\jjjdv.exec:\jjjdv.exe44⤵
- Executes dropped EXE
PID:5100 -
\??\c:\xrllffr.exec:\xrllffr.exe45⤵
- Executes dropped EXE
PID:3460 -
\??\c:\tnhbnh.exec:\tnhbnh.exe46⤵
- Executes dropped EXE
PID:952 -
\??\c:\pdvdj.exec:\pdvdj.exe47⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rfxrffr.exec:\rfxrffr.exe48⤵
- Executes dropped EXE
PID:1764 -
\??\c:\hnbnbt.exec:\hnbnbt.exe49⤵
- Executes dropped EXE
PID:3868 -
\??\c:\dvpdp.exec:\dvpdp.exe50⤵
- Executes dropped EXE
PID:4780 -
\??\c:\rrlrxlr.exec:\rrlrxlr.exe51⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xlrrrxx.exec:\xlrrrxx.exe52⤵
- Executes dropped EXE
PID:4760 -
\??\c:\bthnhn.exec:\bthnhn.exe53⤵
- Executes dropped EXE
PID:4388 -
\??\c:\pvpvd.exec:\pvpvd.exe54⤵
- Executes dropped EXE
PID:2680 -
\??\c:\fxfrlfx.exec:\fxfrlfx.exe55⤵
- Executes dropped EXE
PID:3156 -
\??\c:\btthbb.exec:\btthbb.exe56⤵
- Executes dropped EXE
PID:4488 -
\??\c:\dddvj.exec:\dddvj.exe57⤵
- Executes dropped EXE
PID:4364 -
\??\c:\rlxrffr.exec:\rlxrffr.exe58⤵
- Executes dropped EXE
PID:2360 -
\??\c:\llrllrl.exec:\llrllrl.exe59⤵
- Executes dropped EXE
PID:3488 -
\??\c:\jdjvd.exec:\jdjvd.exe60⤵
- Executes dropped EXE
PID:4976 -
\??\c:\pjpjj.exec:\pjpjj.exe61⤵
- Executes dropped EXE
PID:1376 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe62⤵
- Executes dropped EXE
PID:4480 -
\??\c:\nbtbbn.exec:\nbtbbn.exe63⤵
- Executes dropped EXE
PID:3972 -
\??\c:\vpdpj.exec:\vpdpj.exe64⤵
- Executes dropped EXE
PID:1164 -
\??\c:\fxlllll.exec:\fxlllll.exe65⤵
- Executes dropped EXE
PID:4944 -
\??\c:\bhnhbb.exec:\bhnhbb.exe66⤵PID:456
-
\??\c:\tntntn.exec:\tntntn.exe67⤵PID:772
-
\??\c:\vdjdd.exec:\vdjdd.exe68⤵PID:1284
-
\??\c:\7frrxxx.exec:\7frrxxx.exe69⤵PID:4576
-
\??\c:\nnbbhh.exec:\nnbbhh.exe70⤵PID:4928
-
\??\c:\9pvpp.exec:\9pvpp.exe71⤵PID:2240
-
\??\c:\dvddv.exec:\dvddv.exe72⤵PID:4164
-
\??\c:\fxxfxff.exec:\fxxfxff.exe73⤵PID:1724
-
\??\c:\hhhbbb.exec:\hhhbbb.exe74⤵PID:2856
-
\??\c:\1tbtnn.exec:\1tbtnn.exe75⤵PID:4444
-
\??\c:\3pjpv.exec:\3pjpv.exe76⤵PID:4832
-
\??\c:\lrfffxr.exec:\lrfffxr.exe77⤵PID:2684
-
\??\c:\bntthh.exec:\bntthh.exe78⤵PID:4032
-
\??\c:\7jdjv.exec:\7jdjv.exe79⤵PID:3648
-
\??\c:\xflffxx.exec:\xflffxx.exe80⤵PID:2032
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe81⤵PID:3720
-
\??\c:\nhhbbb.exec:\nhhbbb.exe82⤵PID:1352
-
\??\c:\dpvpj.exec:\dpvpj.exe83⤵PID:5016
-
\??\c:\7jpdv.exec:\7jpdv.exe84⤵PID:3692
-
\??\c:\9lllfff.exec:\9lllfff.exe85⤵PID:4872
-
\??\c:\ntnhhb.exec:\ntnhhb.exe86⤵PID:4828
-
\??\c:\jdvpd.exec:\jdvpd.exe87⤵PID:4672
-
\??\c:\dvvpj.exec:\dvvpj.exe88⤵PID:1852
-
\??\c:\lfllfrl.exec:\lfllfrl.exe89⤵PID:1252
-
\??\c:\9bhbnh.exec:\9bhbnh.exe90⤵PID:1448
-
\??\c:\pddpj.exec:\pddpj.exe91⤵PID:4936
-
\??\c:\9xfrlff.exec:\9xfrlff.exe92⤵PID:2208
-
\??\c:\tnhbtn.exec:\tnhbtn.exe93⤵PID:4616
-
\??\c:\pvvjv.exec:\pvvjv.exe94⤵PID:4176
-
\??\c:\rlflfff.exec:\rlflfff.exe95⤵PID:3888
-
\??\c:\5hbtnh.exec:\5hbtnh.exe96⤵PID:1328
-
\??\c:\7hhbbb.exec:\7hhbbb.exe97⤵PID:5028
-
\??\c:\lxrffxx.exec:\lxrffxx.exe98⤵PID:400
-
\??\c:\flllllf.exec:\flllllf.exe99⤵PID:3776
-
\??\c:\hbhhtt.exec:\hbhhtt.exe100⤵PID:1464
-
\??\c:\vpppd.exec:\vpppd.exe101⤵PID:1192
-
\??\c:\pjjjv.exec:\pjjjv.exe102⤵PID:3128
-
\??\c:\frrrxfx.exec:\frrrxfx.exe103⤵PID:540
-
\??\c:\pvpvv.exec:\pvpvv.exe104⤵PID:1012
-
\??\c:\3djdv.exec:\3djdv.exe105⤵PID:1688
-
\??\c:\5rrfrlx.exec:\5rrfrlx.exe106⤵PID:3260
-
\??\c:\5hhbtn.exec:\5hhbtn.exe107⤵PID:3824
-
\??\c:\jdpjj.exec:\jdpjj.exe108⤵PID:4320
-
\??\c:\9fllxxx.exec:\9fllxxx.exe109⤵PID:1072
-
\??\c:\tnnbth.exec:\tnnbth.exe110⤵PID:1420
-
\??\c:\1nthtn.exec:\1nthtn.exe111⤵PID:2288
-
\??\c:\jvdvp.exec:\jvdvp.exe112⤵PID:1136
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe113⤵PID:3636
-
\??\c:\7htnhh.exec:\7htnhh.exe114⤵PID:3460
-
\??\c:\nntbth.exec:\nntbth.exe115⤵PID:4464
-
\??\c:\jjdvp.exec:\jjdvp.exe116⤵PID:1968
-
\??\c:\ffrlxxx.exec:\ffrlxxx.exe117⤵PID:2720
-
\??\c:\5hhbnh.exec:\5hhbnh.exe118⤵PID:2976
-
\??\c:\dpvjd.exec:\dpvjd.exe119⤵PID:2716
-
\??\c:\9rrflfr.exec:\9rrflfr.exe120⤵PID:1476
-
\??\c:\thbtnh.exec:\thbtnh.exe121⤵PID:4500
-
\??\c:\jdvpd.exec:\jdvpd.exe122⤵PID:4316